feat(rules): add $redacted dynamic variable for masking sensitive values

Introduces a new `$redacted` dynamic variable that wraps its single argument with `strutils.Redact`, allowing sensitive values (e.g., authorization headers, query parameters) to be masked in rule expressions. The variable accepts exactly one argument, which may itself be a nested dynamic variable expression such as `$header(Authorization)` or `$arg(token)`, enabling patterns like `$redacted($header(Authorization))`. Adds corresponding tests covering plain string redaction, nested header and query arg wrapping, and the error case when no argument is provided.
2026-04-23 16:58:31 +02:00 · 2026-02-24 15:17:28 +08:00
parent 77f2779114
commit 0eba045104
2 changed files with 92 additions and 0 deletions
--- a/internal/route/rules/vars_dynamic.go
+++ b/internal/route/rules/vars_dynamic.go
@@ -6,6 +6,7 @@ import (
 	"strconv"

 	httputils "github.com/yusing/goutils/http"
+	strutils "github.com/yusing/goutils/strings"
 )

 var (
@@ -15,6 +16,7 @@ var (
 	VarQuery          = "arg"
 	VarForm           = "form"
 	VarPostForm       = "postform"
+	VarRedacted       = "redacted"
 )

 type dynamicVarGetter struct {
@@ -94,6 +96,17 @@ var dynamicVarSubsMap = map[string]dynamicVarGetter{
 			return getValueByKeyAtIndex(req.PostForm, key, index)
 		},
 	},
+	// VarRedacted wraps the result of its single argument (which may be another dynamic var
+	// expression, already expanded by expandArgs) with strutils.Redact.
+	VarRedacted: {
+		phase: PhaseNone,
+		get: func(args []string, w *httputils.ResponseModifier, req *http.Request) (string, error) {
+			if len(args) != 1 {
+				return "", ErrExpectOneArg
+			}
+			return strutils.Redact(args[0]), nil
+		},
+	},
 }

 func getValueByKeyAtIndex[Values http.Header | url.Values](values Values, key string, index int) (string, error) {